Conversation

@Sg312 Sg312 commented Sep 25, 2025

Summary

CI for pushing images to ECR

Type of Change

  • New feature

Testing

CI, no code changes

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

vercel bot commented Sep 25, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Preview | Comments | Updated (UTC)
docs | Ready | Preview | Comment | Sep 25, 2025 0:50am
sim | Ready | Preview | Comment | Sep 25, 2025 0:50am

@greptile-apps greptile-apps bot left a comment

Greptile Overview

Summary

This PR introduces a comprehensive CI/CD pipeline for AWS ECR image building and ECS deployment. The workflow builds Docker images for three services (app, db, realtime) and automatically deploys them to ECS when code is pushed to main or staging branches.

Key Changes:

  • Matrix-based Docker build strategy for multiple services
  • Environment-specific deployment (production vs staging)
  • Automated ECS service updates with task definition management
  • Service stability monitoring with 30-minute timeout

Critical Security Issue:

  • Line 126 uses eval echo for variable expansion, creating a code injection vulnerability if secrets contain shell metacharacters

Infrastructure Design:

  • Uses CloudFormation stack discovery to find ECS services
  • Updates only essential containers in task definitions
  • Implements proper caching and multi-platform support

Confidence Score: 2/5

  • This PR contains a critical security vulnerability that poses injection risks
  • Score reflects the serious security flaw in the variable expansion logic using eval, which could allow code injection if secrets contain shell metacharacters. While the overall CI/CD structure is sound, the security issue must be resolved before merging.
  • The workflow file requires immediate attention to fix the eval security vulnerability on line 126

Important Files Changed

File Analysis

Filename | Score | Overview
.github/workflows/build-ecr.yml | 2/5 | New CI/CD workflow for AWS ECR with build, push, and ECS deployment. Contains security vulnerability with eval command and complex matrix-based deployment logic.

Sequence Diagram

sequenceDiagram
    participant GH as GitHub Actions
    participant ECR as Amazon ECR
    participant CF as CloudFormation
    participant ECS as Amazon ECS
    
    Note over GH: Push to main/staging triggers workflow
    
    GH->>GH: Configure AWS credentials
    GH->>ECR: Login to ECR
    GH->>GH: Setup Docker Buildx
    
    Note over GH: Matrix build for 3 services
    loop For each service (app, db, realtime)
        GH->>GH: Generate image tags (latest/staging)
        GH->>ECR: Build and push Docker image
    end
    
    Note over GH: ECS deployment job starts after build
    loop For each stack (APP, CORE, MONITORING)
        GH->>GH: Configure AWS credentials again
        GH->>ECR: Login to ECR again
        GH->>GH: Determine stack and image details
        GH->>CF: Get ECS services from CloudFormation stack
        
        alt Services found
            loop For each ECS service
                GH->>ECS: Get current task definition
                GH->>GH: Update task definition with new image
                GH->>ECS: Register new task definition
                GH->>ECS: Update service with new task definition
                GH->>ECS: Wait for service stability (up to 30min)
            end
        else No services found
            GH->>GH: Skip deployment for this stack
        end
    end

1 file reviewed, 2 comments

Edit Code Review Bot Settings | Greptile
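The eval pattern the review flags, as an added example that is not part of the PR or the project's workflow: the unsafe form where a secret's value is handed to `eval`, beside a hardened indirect expansion that validates the variable name and never re-parses the value. The exact shape of line 126 is not shown on this page, so the unsafe form below is an assumption about it, and `SECRET_VALUE` is a constructed sample.

```shell
#!/bin/sh
# Constructed demonstration (not the project's workflow): the difference
# between letting the shell re-parse a secret's VALUE and expanding it by NAME.

# Assumed shape of the flagged step: the value itself is the eval argument,
# so any command substitution or ';' inside it is executed on the runner.
unsafe_expand() {
    eval echo "$1"
}

# Hardened indirect expansion. Only the variable NAME reaches eval, and it is
# checked against the shell identifier grammar first. The value comes out of a
# single parameter expansion and is printed verbatim, never re-parsed.
safe_expand() {
    name=$1
    case $name in
        "" | [0-9]* | *[!A-Za-z0-9_]*) return 1 ;;
    esac
    eval "value=\$$name"
    printf '%s\n' "$value"
}

# Constructed secret value containing a command substitution.
SECRET_VALUE='$(echo INJECTED)'

# In a workflow step the simplest fix is no eval at all: pass the secret via
# `env:` and reference "$SECRET_VALUE" directly instead of an eval echo.
main() {
    echo "unsafe:"; unsafe_expand "$SECRET_VALUE"   # prints INJECTED
    echo "safe:";   safe_expand SECRET_VALUE        # prints $(echo INJECTED)
    safe_expand 'SECRET_VALUE;echo INJECTED' || echo "rejected: not a valid variable name"
}
main
```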
